File packed with UPX crash and does not start #33

Closed
Mrgaton opened this issue Feb 18, 2023 · 9 comments

Comments

@Mrgaton

Mrgaton commented Feb 18, 2023

I tried to convert files packed with UPX to reduce the shellcode size, but not only does it not work, it also increases the shellcode size compared with converting the normal file to shellcode. Link to UPX: https://github.com/upx/upx

@Mrgaton
Author

Mrgaton commented Feb 18, 2023

By the way, very good work, @hasherezade , you saved my life with this project.

@hasherezade
Owner

hi @Mrgaton! thanks for reporting, I will check it soon

@hasherezade
Owner

hasherezade commented Mar 5, 2023

@Mrgaton - I checked it but I wasn't able to reproduce the crash. Can you please send me the file that was crashing to my e-mail: hasherezade-at-protonmail.com?

The increased shellcode size may come from the fact that during the shellcodification the PE is converted to the virtual format, so that it can be loaded in-place, without allocating additional memory. It also allows the shellcodes to be injected into processes with DCP (dynamic code prohibited) enabled. More details are described in this thread: #19. Files that are packed are normally smaller on disk, but they expand significantly in memory, and during the conversion the size for all expanded content is reserved. In the future, I will add an option for the user to choose what type of result they want to achieve: a smaller shellcode, or loading in-place, without additional allocations.

One issue that I observed with UPX is that sometimes, during the compression, UPX removes the relocation table, and pe2shc is set not to proceed if the file has no relocations. So you may see a message like this:

no_reloc

But in cases where UPX leaves the relocation table, I had no problems converting and then running the converted versions.
These are my test cases. It is LoadOrd from Sysinternals, in 32- and 64-bit versions, packed with UPX v4.0.2:

The generated shellcodes (attachment): LoadOrd_upx.shc.zip

[screenshots attached: test32b, test2]

So, in order to be able to help with your case, I would need to see your file and investigate deeper what exactly went wrong.
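
Added example (my own script, not code from pe_to_shellcode or from anyone in this thread): the two effects described above can be checked on a PE before it is handed to pe2shc. SizeOfImage is the virtual-format size the converter reserves, so the ratio SizeOfImage / size-on-disk is roughly how much a packed file will grow once "shellcodified"; and a missing base-relocation directory (or the IMAGE_FILE_RELOCS_STRIPPED flag) is the condition under which the converter stops, as stated above. The parser uses only the standard PE header layout; the `pe2shc_prognosis` rule is my reading of the behaviour described in the comment, not the project's own code, and the sample PE32+ built by `build_sample_pe` is a constructed header-only image laid out like a UPX output (a large UPX0 section with no raw data), not a real binary.

```python
import struct
import sys

# Constants from winnt.h: Characteristics bit and data-directory index
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers and report size on disk vs SizeOfImage (the in-memory,
    'virtual' size that an in-place loader must reserve) and whether a
    base-relocation table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits, dd_off = 32, opt + 96      # DataDirectory offset in PE32
    elif magic == PE32PLUS_MAGIC:
        bits, dd_off = 64, opt + 112     # DataDirectory offset in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    size_of_image, _size_of_headers = struct.unpack_from("<II", data, opt + 56)
    num_rva = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    reloc_rva = reloc_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    sect_off = opt + opt_size
    for i in range(n_sections):
        (name, virt_size, _va, raw_size, _rp,
         _r, _l, _nr, _nl, _flags) = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": virt_size, "raw_size": raw_size})
    return {"bits": bits, "size_on_disk": len(data), "size_of_image": size_of_image,
            "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
            "has_reloc_dir": reloc_rva != 0 and reloc_size != 0,
            "sections": sections}


def pe2shc_prognosis(info: dict) -> str:
    """'no_reloc' when the file has no relocations (the case the converter
    refuses, per the comment above), otherwise 'ok'. Assumed rule, not pe2shc code."""
    if info["relocs_stripped"] or not info["has_reloc_dir"]:
        return "no_reloc"
    return "ok"


def expansion_ratio(info: dict) -> float:
    """Approximate growth of a virtual-format (in-place loadable) shellcode over the file."""
    return info["size_of_image"] / info["size_on_disk"]


def build_sample_pe(with_relocs: bool) -> bytes:
    """Constructed sample: header-only PE32+ with a UPX-style layout
    (UPX0 reserved in memory only, UPX1 holding the packed blob, .rsrc)."""
    e_lfanew = 0x80
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b"UPX0", 0x20000, 0x1000, 0, 0),
        (b"UPX1", 0x8000, 0x21000, 0x7800, 0x200),
        (b".rsrc", 0x1000, 0x29000, 0x400, 0x7A00),
    ]
    size_of_image = 0x2A000            # last VA + section-aligned VirtualSize
    file_size = 0x7A00 + 0x400         # last PointerToRawData + SizeOfRawData
    chars = 0x0022                     # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    if not with_relocs:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, chars)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      PE32PLUS_MAGIC, 14, 0, 0x7800, 0x400, 0x20000, 0x21000, 0x21000,
                      0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      size_of_image, 0x200, 0, 3, 0x8160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if with_relocs:
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x29200, 0x10)  # placed inside .rsrc here
    dd = b"".join(struct.pack("<II", rva, sz) for rva, sz in dirs)
    sh = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                  for n, vs, va, rs, rp in sections)
    headers = dos + b"PE\0\0" + coff + opt + dd + sh
    assert len(headers) == 0x200       # matches SizeOfHeaders above
    return headers.ljust(file_size, b"\0")


if __name__ == "__main__":
    # Pass a real PE path to inspect it; with no argument, use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    report = inspect_pe(blob)
    print("PE%d  disk=%d bytes  SizeOfImage=%d bytes  x%.2f  -> %s" % (
        report["bits"], report["size_on_disk"], report["size_of_image"],
        expansion_ratio(report), pe2shc_prognosis(report)))
    for s in report["sections"]:
        print("  %-8s raw=%#-8x virt=%#x" % (s["name"], s["raw_size"], s["virtual_size"]))
```

Run it against the actual packed and unpacked binaries to compare the two ratios: a UPX'd file typically has a near-zero raw size for its first section but a large virtual size, which is exactly the space a virtual-format shellcode has to carry, so the packed input ends up producing the bigger output.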

@Mrgaton
Author

Mrgaton commented Mar 5, 2023

I was using the --best option in the UPX options, and on a DLL, but I'll try again

@hasherezade
Owner

@Mrgaton - I tried with the --best option too, and still could not reproduce the crash. All my converted samples worked.

@Mrgaton
Author

Mrgaton commented Mar 7, 2023

Maybe it was UPX's fault or my program's fault, sorry, I'll do some more tests

@hasherezade
Owner

ok, please double-check and let me know

@Mrgaton
Author

Mrgaton commented Mar 7, 2023

Yes, I tried the test again and it worked perfectly; it just increased the size of the shellcode file. Sorry to waste your time, it was probably my fault, or Dell, or I don't know.

@Mrgaton Mrgaton closed this as completed Mar 7, 2023
@hasherezade
Owner

no probs, I am glad that it got solved
